Dexter

Dexter was first discovered in December 2012 and continues to infect machines via phishing emails or by exploiting default system access credentials. This malware infects Windows operating system servers and scrapes credit card data as it is entered on the compromised machine. Additionally, after infecting the target PoS system, Dexter parses memory dumps for PoS processes containing Track 1 and Track 2 card data and blacklists processes unlikely to contain that data. It simultaneously monitors changes in the system and maintains persistence by injecting itself into the Windows Explorer executable file and preventing session termination. It also installs a keylogger to collect additional sensitive information such as login credentials and data from manually entered transactions. Dexter then communicates with a C2 server over HTTP (port 80) to transmit the stolen data back to the attacker. Variants of Dexter include ‘Stardust’, ‘Millenium’, and ‘Revelation’.

Reporting

October 2015: British banks lose £20 million to Dexter malware. (Finextra)

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.